Marco Gaiarin
2017-Nov-07 18:24 UTC
[Samba] Best practice for creating an RO LDAP User in AD...
Hi! Denis Cardon via samba, on that day, said:

> You can put your service accounts in an OU and add a GPO that deny
> logon/services/tasks locally.

Shortly come back.

I've created a 'Restricted' OU, a 'Restricted' group (I'm short on
fantasy today ;) and I've created an 'mta' user, both user and group
in the 'Restricted' OU, of course.
And I've added 'mta' to the 'Restricted' group.

Clearly, on a DC, an xID gets assigned to the group:

root@vdcsv1:~# getent group Restricted
LNFFVG\restricted:x:3000026:

but in the same way the 'mta' user gets by default the 'Domain Users' group
(and others, it seems):

root@vdcsv1:~# getent passwd mta
LNFFVG\mta:*:3000025:10513:MTA Restricted:/home/mta:/bin/bash
root@vdcsv1:~# id mta
uid=3000025(LNFFVG\mta) gid=10513(LNFFVG\domain users) gruppi=10513(LNFFVG\domain users),3000025(LNFFVG\mta),3000026(LNFFVG\restricted),3000009(BUILTIN\users)

Ok, some questions:

a) does it make sense to modify 'primaryGroupID: 513' so that 'mta' is not a
member of 'Domain Users'? Or, after that, do I have to re-set all ACLs on my
LDAP objects to let a non-'Domain Users' member read LDAP data?

b) if I modify 'primaryGroupID: 513', considering that neither user nor group
has POSIX/rfc2307 data, could it potentially break something? On member
servers?

c) is there some way, apart from ldbmodify, to modify primaryGroupID?

Thanks.

-- 
dott. Marco Gaiarin  GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''  http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it  t +39-0434-842711  f +39-0434-842797
Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
Rowland Penny
2017-Nov-07 18:57 UTC
[Samba] Best practice for creating an RO LDAP User in AD...
On Tue, 7 Nov 2017 19:24:10 +0100
Marco Gaiarin via samba <samba@lists.samba.org> wrote:

> Hi! Denis Cardon via samba, on that day, said:
>
> > You can put your service accounts in an OU and add a GPO that deny
> > logon/services/tasks locally.
>
> Shortly come back.
>
> I've created a 'Restricted' OU, a 'Restricted' group (I'm short on
> fantasy today ;) and I've created an 'mta' user, both user and group
> in the 'Restricted' OU, of course.
> And I've added 'mta' to the 'Restricted' group.
>
> Clearly, on a DC, an xID gets assigned to the group:
>
> root@vdcsv1:~# getent group Restricted
> LNFFVG\restricted:x:3000026:
>
> but in the same way the 'mta' user gets by default the 'Domain Users' group
> (and others, it seems):
>
> root@vdcsv1:~# getent passwd mta
> LNFFVG\mta:*:3000025:10513:MTA Restricted:/home/mta:/bin/bash
> root@vdcsv1:~# id mta
> uid=3000025(LNFFVG\mta) gid=10513(LNFFVG\domain users)
> gruppi=10513(LNFFVG\domain users),3000025(LNFFVG\mta),3000026(LNFFVG\restricted),3000009(BUILTIN\users)
>
> Ok, some questions:
>
> a) does it make sense to modify 'primaryGroupID: 513' so that 'mta' is not a
> member of 'Domain Users'? Or, after that, do I have to re-set all ACLs on my
> LDAP objects to let a non-'Domain Users' member read LDAP data?
>
> b) if I modify 'primaryGroupID: 513', considering that neither user nor group
> has POSIX/rfc2307 data, could it potentially break something? On member
> servers?
>
> c) is there some way, apart from ldbmodify, to modify primaryGroupID?
>
> Thanks.

Not sure what you are proposing is going to work, AD expects every user
to be a member of Domain Users, even though there is nothing in AD to
show membership.

Do you require this user to be visible on all domain machines? If Windows
works like winbind, then it probably won't be.

You can remove the 'mta' group easily by opening idmap.ldb in ldbedit,
finding the object for 'mta' and then changing the 'type' attribute from
'ID_TYPE_BOTH' to 'ID_TYPE_UID'.

It might help if you could explain how you are going to use your new
user 'mta'.

Rowland
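An added model (not code from this thread or from Samba) of the two mechanisms Rowland's reply rests on: a user's primary group is derived from primaryGroupID, a bare RID appended to the domain SID rather than a 'member' entry, and the idmap.ldb 'type' of the user's own SID decides whether that SID is also listed as a group in `id` output. The domain SID, RIDs, DNs, xids and the directory/idmap tables are all constructed; BUILTIN groups are left out.

```python
"""Model how winbind-style POSIX group lists arise from AD data: the primary
group comes from primaryGroupID (RID only), explicit groups from memberOf,
and an ID_TYPE_BOTH idmap entry makes the user's own xid double as a gid."""

DOMAIN_SID = "S-1-5-21-1111-2222-3333"   # constructed domain SID
DOMAIN_USERS_RID = 513                   # well-known RID of 'Domain Users'

# Constructed directory view of the 'mta' user (what ldbsearch would show).
USERS = {"mta": {"objectSid": f"{DOMAIN_SID}-1105", "primaryGroupID": DOMAIN_USERS_RID,
                 "memberOf": ["CN=Restricted,OU=Restricted,DC=example,DC=lan"]}}
GROUP_SID_BY_DN = {"CN=Restricted,OU=Restricted,DC=example,DC=lan": f"{DOMAIN_SID}-1106"}

# Constructed idmap.ldb-style table: SID -> (xid, type).
IDMAP = {
    f"{DOMAIN_SID}-1105": (3000025, "ID_TYPE_BOTH"),   # the 'mta' user itself
    f"{DOMAIN_SID}-1106": (3000026, "ID_TYPE_BOTH"),   # the 'Restricted' group
    f"{DOMAIN_SID}-513":  (10513,   "ID_TYPE_GID"),    # 'Domain Users'
}

def primary_group_sid(user: dict) -> str:
    """primaryGroupID holds only a RID; the group SID is domain SID + RID."""
    return f"{DOMAIN_SID}-{user['primaryGroupID']}"

def effective_group_sids(username: str) -> set:
    """Primary group (never visible in memberOf) plus every memberOf group."""
    user = USERS[username]
    sids = {GROUP_SID_BY_DN[dn] for dn in user["memberOf"]}
    sids.add(primary_group_sid(user))
    return sids

def posix_groups(username: str, idmap: dict = IDMAP) -> list:
    """gids as `id` would print them: mapped group SIDs, plus the user's own
    xid when its idmap entry is ID_TYPE_BOTH (the SID then doubles as a group)."""
    user = USERS[username]
    gids = {idmap[sid][0] for sid in effective_group_sids(username)}
    own_xid, own_type = idmap[user["objectSid"]]
    if own_type == "ID_TYPE_BOTH":
        gids.add(own_xid)
    return sorted(gids)

def with_idmap_type(idmap: dict, sid: str, new_type: str) -> dict:
    """Copy of the idmap table with one entry's 'type' changed, as ldbedit would."""
    changed = dict(idmap)
    changed[sid] = (idmap[sid][0], new_type)
    return changed

if __name__ == "__main__":
    print(posix_groups("mta"))   # Domain Users, the user's own xid, Restricted
    uid_only = with_idmap_type(IDMAP, USERS["mta"]["objectSid"], "ID_TYPE_UID")
    print(posix_groups("mta", uid_only))   # the user's own xid is gone
```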
Marco Gaiarin
2017-Nov-08 08:49 UTC
[Samba] Best practice for creating an RO LDAP User in AD...
Hi! Rowland Penny via samba, on that day, said:

> Not sure what you are proposing is going to work, AD expects every user
> to be a member of Domain Users, even though there is nothing in AD to
> show membership.

Ah.

> Do you require this user to be visible on all domain machines?

[...]

> It might help if you could explain how you are going to use your new
> user 'mta'

No. Probably quoting a message of a month ago does not help...

I simply need to have a/some LDAP access to do LDAP queries; this 'mta'
example, I need it to do email/alias processing in Exim.

Practically, users in the 'Restricted' group do not need to log on nor to do
anything on the domain, apart from logging into LDAP and doing some ''generic''
queries.

I set users in that group a random/complex password and forgot about it, but
I'm thinking of doing the 'right' thing, lowering the account privileges to
the minimum.

Probably it is a generic 'Active Directory' question, not a specific Samba
one, but... I've not found relevant info out there...

Thanks.

-- 
dott. Marco Gaiarin